Thursday 30 April 2009

The unsecure end point

I have said it before and I will say it again, many times the end point is the biggest security challenge. Why? Because it is very hard to know everything (or check anything) that runs on PCs that users treat as something personal. Users want to download stuff and store stuff on their PCs...and sometimes the PCs do not even belong to the company or the organisation. Users access corporate data using a cafe PC or their home PC. Will this trend change? Not likely, as the difference between our working life and our private life becomes more and more diluted. We live a part of our life in cyberspace and companies need to accept that company infrastructure (and security policies) need to support that.
There are a couple of simple tricks to avoid the worst problems (apart from good antivirus systems and updated applications):
1. Make sure that split tunnelling is prevented.
2. Use 2-factor authentication
3. Give users access on a need-to-know basis...to limit the damage if security is breached.
4. If the PC is really unknown...give the users a USB with a separate OS on it to use when they connect.
Now you probably ask where NAC fits into this model. It does, but do not rely on it as the only thing you need...and next time you buy an access system...make sure that end point security is a part of the product.

Wednesday 29 April 2009

Compliance, compliance..compliance

I had a discussion with an analyst yesterday about virtual security. His conclusion was that it was "early days" and few people actually talked about the security risks in the virtual world. When I asked him what security issues were on managers' minds today he replied...compliance.
My reflection is that the compliance discussion is the first time that security specialists have been able to build a bridge to managers where there seems to be an understanding from both parties. Maybe this is even the first time security vendors have figured out a way of marketing security products in such a way that management can understand. Compliance is often about common sense, but sense, in order to be common, has to be communicated in the right way.
Now I just hope that we vendors will not destroy the discussion by marketing products with slogans such as "buy me and we will solve all your compliance issues...all the time..." That will erode the message fast. Vendors should learn from the experience of the discussion about SOX.

Tuesday 28 April 2009

Does Government have a role in IT-Security?

Sometimes when I listen to politicians I get the feeling that they are looking for the perfect legislation that will fix all IT-Security issues in the world...which leaves us with many frustrated politicians...as there is no easy fix. The simple fact is that the Internet is a big jigsaw puzzle and the beauty (and the cause of many problems) is that no-one "owns" the Internet. The Internet proves the existence of an "invisible hand" where many forces co-exist, each with their own purpose, to create something as fantastic as this gigantic electronic network. As in any part of life, some forces are good...some are stupid and some are evil. Funnily enough, politicians often do not realise that they have legislation in place already...there are laws against stealing...untruthful marketing and so on.
But I still think that our governments around the world have a job to do...make sure that they protect citizen data. Governments store an incredible amount of data about every citizen and they should protect our data with their lives (or at least with their jobs). Why is this different from the enterprise world? Because I can choose to do or not to do business with a company but I cannot stop paying my taxes...(at least I have not tried).
One more thing: after they have done the job right they should share with the rest of the world how they secured our data so others can learn from what they have done. The government is a big buyer and has more resources than most companies...and as it is our money they spend...let us make sure that we can learn from their mistakes.
Now we just have to convince them about this as well.

Friday 24 April 2009

Big Brother...or Big Mother

Sometimes I wonder when people will realise how easy it is to monitor activities on the Internet. Today I have read a study about monitoring employees' e-mails. In the study most companies actually had some kind of surveillance; checking e-mails, checking where users surfed etc etc. I do not think that this comes as any surprise to anyone within the community, but every time a story like this "breaks" it seems to come as a surprise to many people. The truth is that monitoring can be done on many levels: the company you work for, the operator, the OS provider, the application provider, the search engine company, the government, to name some of them...and these are only the so called good guys...you can also add the bad guys.
In the end everybody needs to take some responsibility for their own level of security (and please do not think that you are too small or too uninteresting to be threatened), but from an organisational standpoint the monitoring possibilities create risks. The first thing to ask is whom to trust, internally or externally. Do you trust your operator, your users, your application provider etc etc? Then you have to ask yourself WHAT you trust your partners with. Are you willing to hand over customer-privileged information to an external cloud company, as an example? You are being watched, but there are ways to avoid unnecessary risks. Make sure that you know what you do.

Thursday 23 April 2009

More thoughts about virtualisation

At my already mentioned meeting yesterday we discussed virtualisation. If you have been reading my blog for a while you probably know that I am slightly cautious when it comes to new technologies such as virtualisation. Everybody seems to jump on new technologies without thinking about security issues...and I want everybody to think before they jump.

Here is some simple advice to minimise security risks:
1. Install a firewall to protect the server
2. Give users only granular access. This minimises the users' access.
3. Do not virtualise applications that are really sensitive. Why? Because if other applications running under the same hypervisor are insecure, that insecurity can be used to compromise the hypervisor...and then the sensitive application is unprotected.

There is money to be saved with virtualisation, just make sure to do it without compromising the security.
What I really want to say is....think first

Wednesday 22 April 2009

Thanks to an unknown person!

Today I am in Germany visiting one of my favourite customers (they know their security from inside and out...that is one of the reasons I like them). During my meeting I realised that I had lost my wallet. We did spend a fair amount of time looking for it but it was nowhere to be found. In the end we gave up and headed out of the parking area in our rented car. I was on the phone trying to call my bank etc etc when Anders (our support manager), who was doing the driving, heard a bump from the roof and in the mirror caught a glimpse of my flying wallet (or actually MY FLYING MONEY). One minute later I was running around on the motorway chasing flying money and credit cards. I think I found most of them…
I probably lost the wallet getting out of the car and a friendly person found it and placed it on the car roof.
So thank you, whoever you are, and thanks dear customer for a very interesting meeting today, and please say thanks to your receptionist for her support (she was right...it was in the car...sort of).

Tuesday 21 April 2009

New technologies create new opportunities

Sorry for just copying the press release but I think this is very interesting.

Jericho Forum Challenge winner AppGate makes information security accessible to everyone for free

AppGate’s security server, designed to provide security in an open-network environment, is now available as a free virtualized server

Stockholm, 21 April 2009 – AppGate Network Security a leader in network access control and information security has launched the AppGate Free Edition (AFE), a free-to-use version of the AppGate security server and part of the recently launched V9.0 family, which will be demonstrated at this year’s InfoSecurity Europe. The AFE is a fully functional, virtualized version of the AppGate security server that can run on almost any virtual platform, for example VMware. AppGate takes a different approach to information security, as advocated by Jericho Forum, and the AppGate solution is designed to address the challenges of securing data and applications in an open, Internet-driven world. With the AFE, every organisation now has access to this technology.

Organisations are dependent more than ever on use of the Internet, for flexible working for employees, collaboration with partners, and taking advantage of services in “the cloud”. While there are potentially huge benefits, there are also considerable risks. Jericho Forum, the high level independent user group that is leading the way in analysing the security issues and raising awareness, called for a new approach to information security moving away from border-centric mechanisms to enable the secure flow of data over the Internet. The AppGate solution embodies much of this thinking, moving security as close as possible to the source.

“AppGate was a worthy winner of the Jericho Forum challenge four years ago and continues to follow many of the Jericho Forum design principles, championing the cause of open source” said Ian Dobson, Director of the Jericho Forum.

“AppGate has developed a real solution to the challenge of securing IT architecture in today’s open-collaboration environment, and it runs on OpenSolaris, a UNIX-based operating system.” In AppGate's solution, the central firewall is replaced by a set of distributed firewalls that are installed on all clients and servers. These firewalls are centrally controlled and configured dynamically to allow or deny traffic on the network. Making AppGate’s security server available on the OpenSolaris operating system is consistent with its corporate rollout strategy, and AppGate regards it as the next phase of evolution in the IT security market.

“At AppGate we have always been a great supporter of the principles of open source”, says Tomas Olovsson CTO of AppGate. “MindTerm, one of our products has been available as source code and free of charge for personal and limited commercial use for many years. By launching the AppGate Free Edition we are following the same principle, giving people the unique opportunity to freely test and use the functionality of the AppGate solution even in smaller commercial environments.”

AppGate will be demonstrating the V9.0 security server at InfoSecurity Europe on stand R70 between April 28th and April 30th. AppGate won the first Jericho Forum Challenge in 2005 with a paper entitled “Balancing the Equation; Enterprises moving to the de-perimeterised world need to adopt a ‘core’ mentality based on controlled access to systems”.

As always AppGate security servers build on existing proven functionality such as:

Application Layer Firewall
Mobile & Fixed VPN
Granular & Role based Access
End-point Security Control

Monday 20 April 2009

How to cope with Twitter and Facebook from a security perspective

I have touched upon this subject before but it is worth mentioning again. As an employer you need to figure out a way to live with the likes of Facebook and Twitter. There are three alternatives; first: do nothing and create a potential security threat, second: make sure that no-one can access those during working hours and live with the fact that valuable employees will leave your organisation, or third: deal with the problem using security tools. I believe that as an employer you need to accept the fact that your employees will live a part of their life in cyberspace, and I actually do not think that that behaviour is a bad thing. The difference between "private" and "work" is now more blurred than ever. See your team’s activities on Facebook and Twitter as new marketing channels. They can be excellent tools to create loyalty to your company.
From a security standpoint this is the company version of "split tunnelling": at the same time as a user is connected to a secure internal network, the user is also connected to the outside, to an application that can be rated as unsecure. Today there are many ways to deal with this problem; last week we installed a solution that connected the user not directly to the web but through a terminal server, at the same time as they were connected to internal applications. I think that in the future we will also see more virtual instances on the PC.

Friday 17 April 2009

Pirate Bay is now Pirate Jail

I guess that everybody knows by now...Pirate Bay is now Pirate Jail (thanks Fredrik for the tip), as the founders of Pirate Bay were today sentenced to one year in prison.

Think architecture-not products

Most security products are by tradition point products targeted to solve one or (if you are lucky) two problems at a time. I have a history in networking and every time we did anything we talked about the implications from an architecture perspective. The main purpose was to make sure that the traffic in the network was running as efficiently as possible (with as much up-time as possible).
In the security space we often seem to lack this knowledge. We gladly add new products into the network without thinking about whether they co-exist with other parts of the infrastructure. We add new mobile solutions that do not work with the authentication system, we add access systems that do not work with the LDAP system, we install BIG firewalls and leave the network open, we build a DMZ and then we let PCs connect behind the DMZ at the same time (split tunnelling...) etc etc.
So learn from the networking people and think from an architecture point of view; I bet there is money to be saved from this approach.
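Split tunnelling comes up both in "The unsecure end point" (trick number 1) and in the DMZ example above. As an added illustration that is not part of the original blog, here is a small audit function that reads a host's routing table and reports every route that lets traffic leave the machine without passing through the VPN interface. The routing tables below are constructed examples in `ip route` style; the interface names, the VPN server address and the function names are assumptions made for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    dest: str               # destination network in CIDR notation
    gateway: Optional[str]  # next hop, or None for an on-link route
    iface: str              # outgoing interface

def vpn_bypass_routes(routes: List[Route], vpn_iface: str, vpn_server: str) -> List[str]:
    """List every route that lets traffic leave the host without passing
    through the VPN interface. An empty list means a full tunnel."""
    bypass: List[str] = []
    default_iface: Optional[str] = None
    for r in routes:
        net = ipaddress.ip_network(r.dest, strict=False)
        if net.prefixlen == 0:
            default_iface = r.iface          # remember who owns 0.0.0.0/0
            continue
        if r.iface == vpn_iface or net.is_loopback or net.is_link_local:
            continue
        if r.gateway is None:
            continue                         # directly attached LAN subnet
        if net.num_addresses == 1 and ipaddress.ip_address(vpn_server) in net:
            continue                         # host route to the VPN server itself
        bypass.append(f"{r.dest} via {r.gateway} dev {r.iface}")
    if default_iface != vpn_iface:
        bypass.append(f"default route via {default_iface or 'nothing'}")
    return bypass

def is_split_tunnel(routes: List[Route], vpn_iface: str, vpn_server: str) -> bool:
    return bool(vpn_bypass_routes(routes, vpn_iface, vpn_server))

# Constructed sample routing tables (not taken from any real host)
VPN_SERVER = "203.0.113.5"
FULL_TUNNEL = [
    Route("0.0.0.0/0", None, "tun0"),
    Route("192.168.1.0/24", None, "eth0"),
    Route("203.0.113.5/32", "192.168.1.1", "eth0"),
    Route("127.0.0.0/8", None, "lo"),
]
SPLIT_TUNNEL = [
    Route("0.0.0.0/0", "192.168.1.1", "eth0"),
    Route("10.0.0.0/8", None, "tun0"),
    Route("192.168.1.0/24", None, "eth0"),
    Route("203.0.113.5/32", "192.168.1.1", "eth0"),
]
# Full tunnel with one "exclusion" route sneaked in past the VPN
LEAKY_FULL = FULL_TUNNEL + [Route("172.16.0.0/12", "192.168.1.1", "eth0")]

if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("leaky", LEAKY_FULL)]:
        print(name, vpn_bypass_routes(table, "tun0", VPN_SERVER))
```

On a real client the `Route` list would be filled from the output of `ip route` (or the equivalent on other platforms) before the VPN client is allowed to report the end point as compliant.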

Thursday 16 April 2009

Will better applications save the world?

First of all, I hope that you enjoyed your Easter...I did, and therefore I have been away from my blog...

I have been involved in a discussion about how much better the world would be if all programmers could make applications more secure from the start. Apparently this would save an awful lot of money and would make all security products unnecessary. In a way I think that the notion is fairly insulting to all programmers in the world; of course there are rotten eggs among the community, but I think that most want to do a good job.

I claim that even if all applications were perfect (from a security point of view...) we would still need security applications, as the biggest problem in security is the access problem. Who, when, how etc etc should get access to information. In general it is too easy to access information.
I do not believe that it is possible for all applications to have granular access control, encrypted transmission etc. I agree that applications (and especially operating systems) could be more secure, but believing that this is the “silver bullet” to make the world more secure is fairly naïve.

Thursday 2 April 2009

Another day...another rumour

I was really expecting something interesting to happen on the first of April related to the virus that was expected to explode. I have searched for info but I have not seen any...so I have a question: are we now so good at handling viruses that we dealt with the problem...or did vendors use this threat to save their first quarter numbers?